I agree that a flow cache is bad and that it should not be used.
Not everything is black or white.
A flow cache can accelerate, for example, Access Control Lists and/or firewalling, since only the first packet needs to be verified.
Cisco just added ACL bypass for firewall, which is a similar feature. http://www.cisco.com/en/US/products/sw/iosswrel/ps5207/products_feature_guide09186a00801d33da.html
It only takes x kpps with diverse destinations to knock off a router running flow-based caching.
Yep, that is true, and it's hard to work around.
Extreme switches use flow-based caching (called ipfdb), and any DoS attack that uses diverse destinations will kill it pretty quickly.
Cisco's newer stuff does the flow cache independently of the forwarding, i.e. the flow cache is more of an accounting cache.
--Anders, not affiliated with Cisco
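To make the thrashing argument above concrete, here is a constructed toy model (an added example, not code from the thread or from any vendor): a bounded LRU flow cache where the first packet of a flow takes the slow path (full ACL check and route lookup) and later packets hit the cache. Steady traffic from a few long-lived flows stays almost entirely on the fast path; traffic in which every packet carries a fresh destination evicts the legitimate flows before they are seen again, so everything falls back to the slow path, and a simple hit-rate check on a full cache flags that condition. The capacity, flow counts and addresses are made up for the simulation.

```python
from collections import OrderedDict


class FlowCache:
    """Bounded LRU flow cache in front of a slow path (ACL check + route lookup).
    Toy model of the thread's argument, not any vendor's implementation."""

    def __init__(self, capacity):
        self.capacity = capacity
        self.entries = OrderedDict()   # flow key -> cached verdict
        self.hits = 0                  # packets forwarded on the fast path
        self.misses = 0                # slow-path lookups (one per new flow)

    def forward(self, key):
        if key in self.entries:
            self.entries.move_to_end(key)        # mark as most recently used
            self.hits += 1
            return "fast"
        self.misses += 1                         # full ACL/route lookup here
        self.entries[key] = "permit"             # cache the verdict
        if len(self.entries) > self.capacity:
            self.entries.popitem(last=False)     # evict least recently used flow
        return "slow"

    def hit_rate(self):
        total = self.hits + self.misses
        return self.hits / total if total else 0.0

    def is_thrashing(self, min_hit_rate=0.5):
        """Operational check: a full cache that is still mostly on the slow path."""
        return len(self.entries) >= self.capacity and self.hit_rate() < min_hit_rate


def legit_packets(n_flows, n_packets):
    """Constructed steady traffic: n_flows long-lived flows, packets round-robin."""
    return [("10.0.0.1", f"192.0.2.{i % n_flows}", 6, 40000, 80)
            for i in range(n_packets)]


def simulate(capacity, n_flows, n_packets, noise_per_packet=0):
    """Replay steady traffic; after each packet, inject noise_per_packet packets
    whose destination never repeats (the diverse-destination case)."""
    cache = FlowCache(capacity)
    fresh = 0
    for pkt in legit_packets(n_flows, n_packets):
        cache.forward(pkt)
        for _ in range(noise_per_packet):
            fresh += 1
            cache.forward(("203.0.113.9", f"unique-dst-{fresh}", 17, 53, 53))
    return cache
```

With `simulate(50, 10, 1000)` the ten flows cost ten slow-path lookups in total; with `simulate(50, 10, 1000, noise_per_packet=10)` the legitimate flows are evicted between consecutive packets and every packet, legitimate or not, takes the slow path.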
freebsd-net mailing list: http://lists.freebsd.org/mailman/listinfo/freebsd-net